= DSC Resource 'Bitlocker'

Bitlocker allows you to configure Bitlocker on a single disk, configure a TPM chip, or automatically enable Bitlocker on multiple disks.

== Source

DSC Resource

== Documentation

.Attributes of category 'Bitlocker'
[cols="2,1,1,4,2",options="header"]
|===
| Parameter | Attribute | DataType | Description | Allowed Values

| TPM | | Hashtable | Initialize a TPM chip. |
| Disks | | Hashtable[] | List of disks to encrypt. The system drive must be the first entry in the list. |
| AutoDisks | | Hashtable[] | Automatically enable Bitlocker on drives of type Fixed or Removable. It does not work on Operating System drives. |
|===

.Attributes of category 'Bitlocker/TPM'
[cols="2,1,1,4,2",options="header"]
|===
| Parameter | Attribute | DataType | Description | Allowed Values

| AllowClear | | Boolean | Indicates that the provisioning process clears the TPM, if necessary, to move the TPM closer to complying with Windows Server 2012 standards. | True, False
| AllowPhysicalPresence | | Boolean | Indicates that the provisioning process may send physical presence commands that require a user to be present in order to continue. | True, False
| AllowImmediateReboot | | Boolean | Whether the computer can be rebooted immediately after initializing the TPM. | True, False
|===

.Attributes of category 'Bitlocker/Disks'
[cols="2,1,1,4,2",options="header"]
|===
| Parameter | Attribute | DataType | Description | Allowed Values

| MountPoint | Key | String | The MountPoint name as reported in Get-BitLockerVolume. |
| PrimaryProtector | Mandatory | String | The type of key protector that will be used as the primary key protector. | PasswordProtector, RecoveryPasswordProtector, StartupKeyProtector, TpmProtector
| AutoUnlock | | Boolean | Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock. | True, False
| AllowImmediateReboot | | Boolean | Whether the computer can be immediately rebooted after enabling Bitlocker on an OS drive. | True, False (default)
| AdAccountOrGroup | | String | Specifies an account using the format Domain\User. |
| AdAccountOrGroupProtector | | Boolean | Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key. | True, False
| EncryptionMethod | | String | Specifies the encryption algorithm to be used on the volume. | Aes128, Aes256
| HardwareEncryption | | Boolean | Indicates that the volume uses hardware encryption. | True, False
| Password | | PSCredential | Specifies a secure string object that contains a password. Username doesn't matter for the credential. Just put the Password in the Password field. |
| PasswordProtector | | Boolean | Indicates that BitLocker uses a password as a protector for the volume encryption key. | True, False
| Pin | | PSCredential | Specifies a secure string object that contains a PIN. A TpmProtector must be used if Pin is used. Username doesn't matter for the credential. Just put the Pin in the Password field. |
| RecoveryKeyPath | | String | Specifies a path to a recovery key. |
| RecoveryKeyProtector | | Boolean | Indicates that BitLocker uses a recovery key as a protector for the volume encryption key. | True, False
| RecoveryPasswordProtector | | Boolean | Indicates that BitLocker uses a recovery password as a protector for the volume encryption key. | True, False
| Service | | Boolean | Indicates that the system account for this computer unlocks the encrypted volume. | True, False
| SkipHardwareTest | | Boolean | Indicates that BitLocker does not perform a hardware test before it begins encryption. | True, False
| StartupKeyPath | | String | Specifies a path to a startup key. |
| StartupKeyProtector | | Boolean | Indicates that BitLocker uses a startup key as a protector for the volume encryption key. | True, False
| TpmProtector | | Boolean | Indicates that BitLocker uses the TPM as a protector for the volume encryption key. If TpmProtector is used, it must be the PrimaryProtector. | True, False
| UsedSpaceOnly | | Boolean | Indicates that BitLocker does not encrypt disk space which contains unused data. | True, False
|===

.Attributes of category 'Bitlocker/AutoDisks'
[cols="2,1,1,4,2",options="header"]
|===
| Parameter | Attribute | DataType | Description | Allowed Values

| DriveType | Key | String | The type of volume, as reported by Get-Volume, to which Bitlocker is applied automatically. | Fixed, Removable
| MinDiskCapacityGB | | Sint32 | If specified, Bitlocker is applied automatically only to disks of this size or greater. |
| PrimaryProtector | Mandatory | String | The type of key protector that will be used as the primary key protector. | PasswordProtector, RecoveryPasswordProtector, StartupKeyProtector, TpmProtector
| AutoUnlock | | Boolean | Whether volumes should be enabled for auto unlock using Enable-BitlockerAutoUnlock. | True, False
| AdAccountOrGroup | | String | Specifies an account using the format Domain\User. |
| AdAccountOrGroupProtector | | Boolean | Indicates that BitLocker uses an AD DS account as a protector for the volume encryption key. | True, False
| EncryptionMethod | | String | Specifies the encryption algorithm to be used on the volume. | Aes128, Aes256
| HardwareEncryption | | Boolean | Indicates that the volume uses hardware encryption. | True, False
| Password | | PSCredential | Specifies a secure string object that contains a password. Username doesn't matter for the credential. Just put the Password in the Password field. |
| PasswordProtector | | Boolean | Indicates that BitLocker uses a password as a protector for the volume encryption key. | True, False
| Pin | | PSCredential | Specifies a secure string object that contains a PIN. A TpmProtector must be used if Pin is used. Username doesn't matter for the credential. Just put the Pin in the Password field. |
| RecoveryKeyPath | | String | Specifies a path to a recovery key. |
| RecoveryKeyProtector | | Boolean | Indicates that BitLocker uses a recovery key as a protector for the volume encryption key. | True, False
| RecoveryPasswordProtector | | Boolean | Indicates that BitLocker uses a recovery password as a protector for the volume encryption key. | True, False
| Service | | Boolean | Indicates that the system account for this computer unlocks the encrypted volume. | True, False
| SkipHardwareTest | | Boolean | Indicates that BitLocker does not perform a hardware test before it begins encryption. | True, False
| StartupKeyPath | | String | Specifies a path to a startup key. |
| StartupKeyProtector | | Boolean | Indicates that BitLocker uses a startup key as a protector for the volume encryption key. | True, False
| TpmProtector | | Boolean | Indicates that BitLocker uses the TPM as a protector for the volume encryption key. If TpmProtector is used, it must be the PrimaryProtector. | True, False
| UsedSpaceOnly | | Boolean | Indicates that BitLocker does not encrypt disk space which contains unused data. | True, False
|===

== Example

[source,yaml]
----
Bitlocker:
  Tpm:
    AllowClear: False
    AllowPhysicalPresence: True
    AllowImmediateReboot: True
  Disks:
    # System Drive at first
    - MountPoint:                'C:'
      PrimaryProtector:          TpmProtector
      TpmProtector:              True
      AllowImmediateReboot:      True
      UsedSpaceOnly:             True
    - MountPoint:                'D:'
      PrimaryProtector:          RecoveryPasswordProtector
      StartupKeyProtector:       True
      StartupKeyPath:            'A:'
      RecoveryPasswordProtector: True
      AllowImmediateReboot:      True
      UsedSpaceOnly:             True
  AutoDisks:
    - DriveType:                 Fixed
      PrimaryProtector:          TpmProtector
      TpmProtector:              True
      UsedSpaceOnly:             True
    - DriveType:                 Removable
      MinDiskCapacityGB:         16
      PrimaryProtector:          RecoveryPasswordProtector
      StartupKeyProtector:       True
      StartupKeyPath:            'A:'
      RecoveryPasswordProtector: True
      UsedSpaceOnly:             True
----
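The following PowerShell script is an added audit example, not code from the resource or its documentation. It takes the `Disks` entries of the example above as constructed hashtables, checks the constraints the tables state (TpmProtector must be the PrimaryProtector, Pin requires TpmProtector) and then compares each volume with what `Get-BitLockerVolume` reports after the configuration has been applied. `Test-DesiredBitlockerDisk` is a hypothetical helper, and the mapping from the resource's `*Protector` switches to `KeyProtectorType` values is an assumption.

```powershell
#Requires -RunAsAdministrator
# Constructed input mirroring the 'Disks' entries of the YAML example above.
$desiredDisks = @(
    @{ MountPoint = 'C:'; PrimaryProtector = 'TpmProtector'; TpmProtector = $true; EncryptionMethod = 'Aes256' }
    @{ MountPoint = 'D:'; PrimaryProtector = 'RecoveryPasswordProtector'; StartupKeyProtector = $true; RecoveryPasswordProtector = $true }
)

# Assumed mapping from the resource's *Protector switches to KeyProtectorType values.
$protectorTypeMap = @{
    TpmProtector              = 'Tpm'
    PasswordProtector         = 'Password'
    RecoveryPasswordProtector = 'RecoveryPassword'
    StartupKeyProtector       = 'ExternalKey'
    RecoveryKeyProtector      = 'ExternalKey'
    AdAccountOrGroupProtector = 'AdAccountOrGroup'
}

function Test-DesiredBitlockerDisk {
    param([hashtable]$Disk)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Constraints stated in the parameter table: TPM must be primary, a PIN needs the TPM.
    if ($Disk.TpmProtector -and $Disk.PrimaryProtector -ne 'TpmProtector') {
        $findings.Add('TpmProtector is set but is not the PrimaryProtector')
    }
    if ($Disk.Pin -and -not $Disk.TpmProtector) { $findings.Add('Pin requires TpmProtector') }
    $volume = Get-BitLockerVolume -MountPoint $Disk.MountPoint -ErrorAction SilentlyContinue
    if (-not $volume) { $findings.Add('volume not found'); return $findings }
    if ($volume.ProtectionStatus -ne 'On') {
        $findings.Add("protection is $($volume.ProtectionStatus), expected On")
    }
    if ($Disk.EncryptionMethod -and $volume.EncryptionMethod -ne $Disk.EncryptionMethod) {
        $findings.Add("encryption method is $($volume.EncryptionMethod), expected $($Disk.EncryptionMethod)")
    }
    # Every enabled *Protector switch must have a matching key protector on the volume.
    $present = @($volume.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    foreach ($switch in $protectorTypeMap.Keys) {
        if (-not $Disk[$switch]) { continue }
        $expected = $protectorTypeMap[$switch]
        if ($switch -eq 'TpmProtector' -and $Disk.Pin) { $expected = 'TpmPin' }  # TPM+PIN is one combined protector
        if ($present -notcontains $expected) { $findings.Add("missing key protector $expected") }
    }
    return $findings
}

foreach ($disk in $desiredDisks) {
    $result = @(Test-DesiredBitlockerDisk -Disk $disk)
    if ($result.Count -eq 0) { "{0}: compliant" -f $disk.MountPoint }
    else { "{0}: {1}" -f $disk.MountPoint, ($result -join '; ') }
}
```

A volume that reports protection as Off or a missing protector type is a drift finding worth alerting on, since the DSC apply may have succeeded while encryption is still pending a reboot or hardware test.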
== Recommended Lookup Options in Datum.yml (Excerpt)

[source,yaml]
----
lookup_options:
  Bitlocker:
    merge_hash: deep
  Bitlocker\Disks:
    merge_hash_array: UniqueKeyValTuples
    merge_options:
      tuple_keys:
        - MountPoint
  Bitlocker\AutoDisks:
    merge_hash_array: UniqueKeyValTuples
    merge_options:
      tuple_keys:
        - DriveType
----